JetPack and TwentyFifteen Vulnerable to DOM-based XSS

Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to grasp, but both the plugin and theme are default installs in millions of WordPress installs. The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.
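A way to check an install for the file described above, as an added example that is not part of the original post: it walks wp-content and reports every example.html that sits in a directory named genericons, together with the plugin or theme that ships it. The function names and the sample directory layout are constructed for the illustration.

```python
import os
import tempfile


def find_genericons_examples(wp_root):
    """Return sorted (component, path) pairs for genericons/example.html files.

    component is "plugins/<name>" or "themes/<name>"; path is relative to wp-content.
    """
    content = os.path.join(wp_root, "wp-content")
    hits = []
    for dirpath, _dirs, files in os.walk(content):
        # Only directories named "genericons" matter; other example.html files are ignored.
        if os.path.basename(dirpath).lower() != "genericons":
            continue
        for name in files:
            if name.lower() == "example.html":
                rel = os.path.relpath(os.path.join(dirpath, name), content)
                parts = rel.split(os.sep)
                component = "/".join(parts[:2]) if len(parts) > 2 else parts[0]
                hits.append((component, "/".join(parts)))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed directory layout for the demo; real installs differ."""
    files = [
        "wp-content/themes/twentyfifteen/genericons/example.html",
        "wp-content/themes/twentyfifteen/genericons/genericons.css",
        "wp-content/plugins/sample-plugin/assets/genericons/example.html",
        "wp-content/plugins/clean-plugin/genericons/genericons.css",
        "wp-content/plugins/other-plugin/docs/example.html",
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<!-- constructed placeholder -->\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for component, rel in find_genericons_examples(root):
            print(f"{component}: wp-content/{rel}")
```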

DOM-based XSS

The XSS vulnerability is very simple to exploit and happens at the Document Object Model (DOM) level. If you are not familiar with DOM attacks, the OWASP group explains it well:

DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.



Critical Persistent XSS 0day in WordPress

*Update 2015-04-27*: A patch has been released and made available by the WordPress Core Team in version 4.2.1 – Please update immediately.

Yes, you’ve read it right: a critical, unpatched zero-day vulnerability affecting WordPress’ comment mechanisms was disclosed earlier today by Klikki Oy.

Who’s Affected?

If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert a backdoor in the website’s code if the code runs in a logged-in administrator’s browser.



Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter

This morning as I was logging into various social networks I was presented with a popup from an XSS on TweetDeck. This obviously set every hair on my neck on fire because it’s obviously not the normal welcome screen.

After some investigation, I found a tweet from one account that I follow which had the following JavaScript code as an example – it should be all good, but TweetDeck wasn’t sanitizing the input which caused the code to execute in the browser.

[Screenshot: Screen Shot 2014-06-11 at 9.41.54 AM]

This is why: someone injected this into their tweet. When you logged into TweetDeck, it triggered the vulnerability:

[Screenshot: Screen Shot 2014-06-11 at 9.45.29 AM]

As you can see, the XSS attack was set to automatically retweet via this: data-action:retweet causing a chain event for anyone that logs into TweetDeck.

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

[Screenshot: Screen Shot 2014-06-11 at 9.56.21 AM]

To be safe though, we recommend logging out of TweetDeck, revoking access in your Twitter profile and resetting all connections if you want to continue to use the application.

[Screenshot: Screen Shot 2014-06-11 at 9.56.04 AM]

What is very annoying about this is that you can’t undo the automatic retweet, making it very difficult to remove from people’s timelines. Thankfully, the attack is mostly benign and appears to be intended more to make a statement than to cause harm, but it’s a clear example of how the largest of applications can be exploited.

WordPress Themes: XSS Vulnerabilities and Secure Coding Practices

As many might imagine, my life revolves around Information Security. If you’re like me, you’re undoubtedly seeing all these new posts talking to insecurities in WordPress themes, specifically a plethora of Cross-Site Scripting (XSS) vulnerabilities. Surprise, surprise, right? Yeah, no, not so much.

WordPress Theme XSS Vulnerabilities

Here are some of the posts I am referring to:



WordPress 3.3 XSS Vulnerability Patched (3.3.1 Released)

We just learned of a reflected XSS vulnerability in WordPress 3.3 via the comments form (wp-comments.php). It is explained in detail here.

The disclosed vulnerability can only be triggered via Internet Explorer according to the disclosing party; our tests lead to the same result.

To further note, this is hard to reproduce because it does not get triggered when WordPress is installed via a domain. If you’re running WordPress 3.3, and WordPress was installed via a domain, you’re not vulnerable. (ethicalhack3r)

We do not consider this to be a serious vulnerability; however, we recommend updating to WordPress 3.3.1 since the vulnerability can be used in targeted attacks. More info on the release can be found in the WordPress Codex, or via the release post.